Globe virus: can it be as dangerous as Cerber ransomware?

At first, it seemed that Globe virus was just another dull copy-paste ransomware that was not going to spread widely. The initial version struck a couple of months ago, and the ransomware has been updated several times since then. Interestingly, this malicious program makes references to the movie Purge [1] throughout the hijack. However, in terms of structure, it does not differ much from other infamous cyber infections which demand a ransom for locked data. Virus researchers speculate that the infection belongs to the group of malware which mainly targets devices via corrupt email attachments distributed by malicious spam campaigns. This distribution technique is already considered the most active one and has been used with such ransomware threats as Cerber or Osiris ransomware [2]. If your computer was attacked as well, the first thing you should do is collect yourself and concentrate on Globe removal options. There is no need to wait around for your personal files to self-decrypt because this will never happen. The hackers would rather destroy your personal data completely than give it away for free. Besides, even paying up may not help. The sad statistics show that a large part of ransomware victims never get the promised decryption key and their personal files remain locked [3]. Luckily, virus researchers have already obtained a sample of Globe ransomware and managed to bypass the encryption. We will put a link to the decryption tool next to other data recovery methods, which may come in handy if you are infected by some other version of the virus on which this decryption tool may not be effective.

Globe virus might still be under development, but it is growing quite steadily. Lately, new versions (Globe2, Kyra, and x3m Globe) have been released. Users residing in Central Asia were among the first targets of this malware, but now infiltration cases are being registered in other parts of the world. There are speculations that the threat might evolve to the point where it starts attacking small and major enterprises. The file entitled “How to restore your files.hta,” which the virus saves on the desktop, delivers the essential instructions on how to recover the files. The victims are supposed to contact the hackers at powerbase@tutanota.com (or a different address, depending on the version of this ransomware), after which further instructions for payment and the amount of the demanded ransom are delivered. The ransom sum varies each time; it is speculated that it fluctuates from 1 to 3 BTC. It is unwise to hope to retrieve the files after remitting the payment. Instead, remove Globe immediately.

Moreover, the same .url.powerbase@tutanota.purge extension is added to all the blocked files. Unlike other threats, the virus seems to be using the Blowfish encryption method rather than the popular AES. Within seconds, vssadmin.exe and bcdedit.exe are executed, and the threat finishes encrypting files. Currently, the virus can affect around 995 types of files. The virus is quite aggressive, as it may also corrupt files located in Program Files or on local drives, and it encrypts more and more files after each system reboot. Globe malware deletes all shadow copies and turns off Windows Startup Repair. Therefore, it is of utmost importance to exterminate the threat as soon as possible. In order to do that, let Reimage help you. Lastly, we would like to warn you not to install any file-decrypting software or Globe Decrypter promoted by the hackers. You should use only legitimate tools to succeed in recovering the files that are currently locked [4].

List of malware related to Globe ransomware:

Globe2 ransomware virus. This virus was detected at the beginning of October 2016. As a ransomware-type virus, it encrypts data and instructs the victim to contact the cyber criminals via email. The only way to communicate with them is to send a letter to the help_you@india.com email address. It is not hard to understand what the criminals want in exchange for the decryption software: money. Luckily, victims no longer need to pay ransoms, as the antidote for this computer infection has already been discovered, so if you have been attacked by this malicious virus, use a free Globe2 decryption tool to restore encrypted data. Full instructions on how to remove Globe 2 and restore files are provided in this article.

Russian Globe ransomware virus (also known as BlackBlock virus). The Russian version of this crypto-ransomware virus was spotted in November 2016. This ransomware version can be easily identified because it appends the .blackblock file extension to encrypted data and typically asks for 0.5 Bitcoin in exchange for the decryption software. Just like the previous versions, this one employs RSA encryption to render personal files useless. When it finishes the filthy data encryption procedure, it launches the “How to restore files.hta” file, which provides information about the encryption. This file is widely known as “the ransom note,” and it commands the victim to write to the cyber criminals’ email in order to find out possible decryption methods. The victim can also use Bitmessage to reach out to the perpetrators.

Kyra ransomware virus. This one was released right after BlackBlock virus, and it is very similar to it as well. The only difference is that Kyra virus adds the .kyra file extension to corrupted files and asks for a slightly higher ransom – 1.0 Bitcoin. The ransom note asks the victim to contact the criminals via support-locking@india.com or support-decrypt@india.com, or again via BitMessage. The victim is asked to provide a personal ID and wait for further instructions on how to pay the ransom to get the decryption tool. Sadly, the criminals are not obliged to provide you with Kyra decryption software even if you pay up, so we suggest you think twice before doing so. We believe that you should not waste your money and should get a trustworthy computer protection tool instead. You can recover lost files from a backup if you have one – just make sure you remove Kyra virus first.

Duhust ransomware virus. This is a newly detected version of the original cyber infection. It has been named after the file extension it attaches to every encoded file, the .duhust extension. The virus continues the tradition of employing AES and RSA algorithms for data encoding. The developers also decided to make another diversion: in the ransom note, they present duhust@india.com for public communication. Judging by this feature, it seems that the crooks are the same ones who keep terrorizing the virtual world with @india.com themed viruses. These are not as widely spread as Locky or Cerber, but the continuous attempts to modify and improve the immunity of the cyber threat seem alarming. What is more, the hackers have already become widely known for their multiple threats. Some of them possess amusing titles. However, the recent versions Suppteam01@india.com and Suppteam03@india.com trigger assumptions that it might be related to another notorious file-encrypting virus – CryptoLocker.

x3m Globe ransomware virus is another new member that has recently been added to the Globe ransomware family. A version of Globe has been spotted adding .x3m extensions to the encrypted files, which earned the program its name. The virus is especially dangerous for users who have no backup copies of their personal files, since it encrypts the data stored on the computer with a complex algorithm that changes the inner structure of the files into a jumble of characters. The encrypted data can be turned into normal files again only with the private key, which the criminals promise to provide if the victim contacts them via the mkscorpion(@)india.com email. Apart from dropping a ransom note in every folder of the infected computer, the virus places data recovery instructions on the desktop as well, ensuring that the victim really notices them. x3m Globe most likely arrives on users' computers through pirated software or email spam, so be careful not to download it by accident.

Grapn206@india.com ransomware virus. In response to other mainstream viruses, the developers of Globe made a move again. In the past few weeks, they presented several major improvements. This latest version does not differ much from the previous ones. The only obvious new feature is the appended extension: the malware now marks all corrupted data with the .grapn206 extension. The usual encryption methods, AES and RSA, are also characteristic of this ransomware. Beware of the lolka.exe1 file, which distributes the binary with the virus within. The crooks might disguise it in a spam attachment or a trojan. Since it is another of the @india.com viruses, it might also target users via trojans and exploit kits which lurk in infected domains. Do not waste time and proceed to the virus elimination, as it is futile to expect the crooks to return the data.

Banij2@india.com ransomware is the latest example of Globe virus that showed up in the beginning of 2016. This version started spreading in the US. However, it soon showed up in Russia, Germany and the UK. The name of this Globe variant comes from the extension which this malware adds to each of the target files. Just like its previous versions, it can easily encrypt videos, music files, business documents and similar data with its built-in encryption engine. The only way to stay safe and avoid this ransomware is to protect your computer with reliable anti-spyware. The next step, which is also recommended by security experts, is to make backup copies of all the files that are important to you. Make sure you keep them disconnected from your computer to avoid Banij2@india.com file virus.

.LoveWindows file extension virus. In December 2016, Globe2 virus emerged with a brand new malware variant that adds the .lovewindows file extension to encrypted files. Just like previous Globe ransomware versions, the new one uses the RSA cipher to encrypt target files securely and prevent the user from accessing them. To decrypt files, the user needs to write to the bahij2@india.com email and get instructions from the culprits directly. Currently, the Globe2 decrypter is not updated and cannot restore files encrypted by this version, but it might be able to do it soon. Therefore, keep your money to yourself and do not pay the ransom to the nasty scammers who have infected your system with ransomware. We suggest you remove .lovewindows virus as soon as you can. The best way to do it is to rely on an automatic malware removal tool. If you do not have one yet, consider installing one of the ones we recommend: Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus, or Malwarebytes Anti Malware.

Fake Globe ransomware. Fake Globe virus, or Globe Imposter virus, uses AES encryption to corrupt files on a target computer and decorates their names with .crypt file extensions. The virus uses an almost identical ransom note and also drops a HOW_OPEN_FILES.hta file on the system. This Globe Impersonator wants 1 Bitcoin as a ransom (around 800 USD), which needs to be sent to a provided Bitcoin wallet address. Then the Fake Globe ransomware asks the victim to send a screenshot of the payment to the alex_pup@list.ru email. The executable file is called подтверждение.exe (the name translates to The Confirmation). It is not a variant of Globe, but it is designed to look similar to the original virus, most likely to appear more scary. The virus is now decryptable, and you can download the free Globe Imposter decrypter from the official Emsisoft website.

Globe3 ransomware has just hit the web, which suggests that after unsuccessful attempts with Globe and Globe2, the extortionists have decided to give it another go. The virus has been modified using the same ransomware builder that the hackers used in the previous virus versions. Globe 3 now uses AES-256 encryption to lock the computer files and adds .decrypt2017 and .hnumkhotep extensions next to their original titles. For the file decryption key, the scammers demand 3 Bitcoin, which is a grand sum compared to the 0.5 or 1 Bitcoin typically demanded by other ransomware developers. Luckily, you do not have to empty your bank account, since virus experts have already come up with a free Globe3 decrypter which you can download by clicking the indicated link. Just do not forget to remove the virus so that your files do not get locked again!
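
The file extensions and ransom-note names listed for the variants above can be turned into a quick triage check that tells you which variant a machine is likely dealing with. This is an added example, not code from any of the tools mentioned in this article; the function names and the sample paths are constructed for illustration, and an extension match alone is only a lead, since unrelated software may use the same suffix.

```python
import os
import sys
from collections import Counter

# Appended extension -> variant, as named in this article.
EXTENSIONS = {
    ".purge": "Globe", ".globe": "Globe", ".blackblock": "BlackBlock",
    ".kyra": "Kyra", ".duhust": "Duhust", ".x3m": "x3m Globe",
    ".grapn206": "Grapn206", ".lovewindows": "LoveWindows",
    ".crypt": "Globe Imposter", ".decrypt2017": "Globe3", ".hnumkhotep": "Globe3",
}
# Ransom-note file names from this article (compared case-insensitively).
RANSOM_NOTES = {
    "how to restore your files.hta": "Globe",
    "how to restore files.hta": "BlackBlock",
    "how_open_files.hta": "Globe Imposter",
}

def classify(path):
    """Return (kind, variant) for one path, or None when nothing matches."""
    # Split on both separators so Windows paths also work on other systems.
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in RANSOM_NOTES:
        return ("ransom_note", RANSOM_NOTES[name])
    ext = os.path.splitext(name)[1]  # last suffix only, e.g. ".kyra"
    if ext in EXTENSIONS:
        return ("encrypted_file", EXTENSIONS[ext])
    return None

def triage(paths):
    """Count hits per (kind, variant) over an iterable of file paths."""
    return Counter(hit for hit in map(classify, paths) if hit)

# Constructed sample paths, not taken from a real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.kyra",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\How to restore your files.hta",
    r"C:\Users\alice\Pictures\cat.jpg.url.powerbase@tutanota.purge",
    r"C:\Users\alice\Pictures\dog.PNG.DECRYPT2017",
]

if __name__ == "__main__":
    # Scan the directory given on the command line, else the constructed sample.
    paths = SAMPLE_PATHS
    if len(sys.argv) > 1:
        paths = (os.path.join(d, f) for d, _, fs in os.walk(sys.argv[1]) for f in fs)
    for (kind, variant), count in sorted(triage(paths).items()):
        print(f"{variant:15} {kind:15} {count}")
```

A ransom note found in the same folder tree as files with a matching extension is a much stronger sign than either hit alone.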

Ways of distribution

As previously mentioned, Globe hijack occurs after opening infected email attachments. If you follow the news in the IT world, you may know how advanced the hackers are in persuasion techniques. They make up almost identical tax return or customs declaration forms. Alternatively, cyber criminals create false telecommunication forms asking for confidential information. Some crooks try to convince users to open the infected attachment by asking them to review a package delivery attachment. In either case, stay vigilant and avoid recklessly opening emails even if they appear to be sent from official institutions. Contact the company directly to clear up any doubts, and teach your employees about such viruses as Globe ransomware [5].

Remove Globe malware for good

Given the peculiarities of this ransomware and its possible upgrades, you should remove Globe virus automatically. Install Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus, which will carry out the elimination quickly. These programs provide powerful protection for the entire operating system. Taking into account the possibility that the ransomware may infect through exploit kits, the presence of such tools is obligatory. However, security programs do not unlock the encrypted files, so you will need to look for data recovery programs. Lastly, if you struggle to start Globe removal because some essential functions of the operating system do not work, feel free to use the guidelines provided below on this page.


Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Globe removal.

If your ransomware is blocking Safe Mode with Networking, try a further method.

Data recovery with Data Recovery Pro method

Follow the steps of Data Recovery Setup and install the program on your computer;

Launch it and scan your computer for files encrypted by Globe ransomware;

Restore them.

Data recovery using Windows Previous Versions feature

If you had System Restore function enabled before Globe attack, you can try recovering your files using Windows Previous Versions method here:

Find an encrypted file you need to restore and right-click on it;

Select “Properties” and go to “Previous versions” tab;

Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Data recovery using ShadowExplorer method

ShadowExplorer detects Shadow Volume Copies of the files stored on the computer. Please note that if these backup files are affected by the virus or deleted from the system completely, this method will not work.

Follow the ShadowExplorer Setup Wizard and install this application on your computer;

Launch the program and go through the drop-down menu in the top left corner to select the disk that holds your encrypted data. Check what folders are there;

Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Data recovery using Globe decrypter

You can decrypt files locked by this ransomware using a free Globe decrypter, which has been recently released online. This specific tool works for .purge, .globe and .okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg.xtbl extensions, so if you are infected with some other, newer variant of Globe, you may have to go back to the above-mentioned methods.